The Expert's View with Jeremy Kirk

Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

'Tech Accord' Emphasizes Teamwork to Prevent Hacking Damage

Agreement Includes Pledge to Not Aid Governments With Cyber Warfare
'Tech Accord' Emphasizes Teamwork to Prevent Hacking Damage
Microsoft President and Chief Legal Officer Brad Smith speaks at the 2018 RSA Conference. (Photo: Mathew Schwartz)

At last year's RSA Conference, Microsoft's President and Chief Legal Officer Brad Smith called for a digital Geneva Convention - an agreed set of rules in cyberspace. The idea was to minimize the effects of escalating cyber conflicts on civilians.

See Also: 5 Requirements for Modern DLP

Such a universal treaty among countries has so far been elusive despite concerns that rules around cyber conflict are needed. But at this year's RSA Conference, Smith says private industry is making progress with a new agreement called the Cybersecurity Tech Accord.

Thirty-four companies have agreed to four principles that broadly encompass protecting users wherever they may live and a stronger esprit de corps between companies and organizations trying to defend in an ever-more hostile environments.

"The attacks from the past year demonstrate that cybersecurity is not just about what any single company can do alone, but what we can do together," Smith tweeted.

According to an estimate from Juniper Research, the economic losses from cyberattacks may reach an astounding $8 trillion by 2022.

The Tech Accord comes as the U.S and U.K. on Monday issued an unprecedented joint statement accusing Russia of undermining a wide range of network equipment. The countries warned that Russia could be gaining foothold from which to launch future cyberattacks. Russia was also blamed for creating NotPetya, a potent ransomware that targeted Ukraine but eventually spread worldwide (see US, UK: Russian Hackers Deeply Embedded in Routers, Switches).

Cohesive Defense

The accord is designed to form a more cohesive defense among private companies, researchers, "civil society" and nongovernmental organizations against the range of threats. It also crucially includes a pledge to not assist governments in cyberattacks.

"We will protect against tampering with and exploitation of technology products and services during their development, design, distribution and use," Smith writes in a blog post. "We will not help governments launch cyberattacks against innocent citizens and enterprises."

Tension sparked between Microsoft and the U.S. government following the WannaCry ransomware outbreak in May 2017. The ransomware used a vulnerability in Microsoft's operating system to rapidly spread, causing millions of dollars in damages. North Korea has been accused by the U.S. and U.K. of developing WannaCry (see British Security Services Tie North Korea to WannaCry).

The vulnerability was believed to have been one of the most productive ones used by U.S. National Security Agency. But a mysterious group calling itself the Shadow Brokers leaked the vulnerability in April 2017. By then, Microsoft had become aware of the flaw and patched it a month earlier, but it was too late for many organizations that didn't apply it.

Microsoft was subsequently furious, with Smith warning that the stockpiling of vulnerabilities by intelligence agencies puts innocent people at risk. The U.S. government has a program, the Vulnerabilities Equity Process, to share flaws with vendors. But there's a fuzzy trade-off between intelligence-gathering needs and prompt notifications (see Post-WannaCry, Microsoft Slams Spy Agency Exploit-Hoarding).

Usual Bromides?

In many ways the Tech Accord reiterates what should already be happening: Technology companies should be closely collaborating to defend against cyberattacks. But Smith maintains the public commitment will provide the binding that will result in action.

"The success of this alliance is not just about signing a pledge, it's about execution," Smith writes. "That's why today is just an initial step, and tomorrow we start the important work of growing our alliance and take effective action together."

The signatories include some of the most prominent technology companies, including Cisco, Juniper, Facebook, BT, CA Technologies and Symantec. Smith writes that "in the coming weeks and months, we are confident that these numbers will grow further."

(Source: Microsoft)

Smith's announcement falls short of what he outlined last year, when he envisioned governments signing on to an international agreement. Still, anything that helps bring private industry closer is important.

Private companies often are the first to spot hints of state-sponsored attacks. A renewed effort for more cohesive collaboration could slow down the next global cyberattack.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.